AMI Response to the CTS-Labs Advisory of 13 Security Flaws in AMD Ryzen and EPYC Processors

Mar 19, 2018 | AMI in the News

NORCROSS, GEORGIA, USA – AMI, a global leader in BIOS and UEFI firmware, server and remote management tools, data storage products and unique solutions based on the Linux® and Android™ operating systems, has released a statement in response to the recent news of security flaws discovered by CTS-Labs in the AMD Ryzen™ and EPYC™ processor lines.

Recently, a report came out that a security company, CTS-Labs, discovered potential security flaws in the AMD Ryzen and EPYC processor lines and gave AMD 24 hours’ notice that the information was going to be released publicly. Typically, the software industry allots a 3-6 month period before information is released to the public, allowing the affected company to mitigate the issues and preserve end-user confidentiality. According to a news article covering the topic of these potential security flaws, “CTS-Labs cite that AMI, a common BIOS provider for Ryzen systems, makes a BIOS re-flash very easy, assuming the attacker has a compatible BIOS”. In response to this statement, AMI would like to provide some clarification and address concerns that may arise when it comes to secure BIOS update processes.

AMI would like to reassure users of AMI’s products that AMI makes security a top priority when it comes to its products and services. AMI has in fact made the BIOS update process easy for its end users with various security protocols in place to prevent malicious and/or unauthorized BIOS updates. It is important to note that the update process is “easy” only when using the original BIOS images from the motherboard manufacturers. If the BIOS image has been compromised/tampered with by an unknown source, the update process will reject the update, no changes will be made to the BIOS and BIOS re-flash will most certainly not be easy. The only way an attacker can have a “compatible BIOS” is if the attacker had access to the secret, private key of the motherboard manufacturer. This key is secret and private, only available to the motherboard manufacturer; therefore, it is not accessible to the public or potential attackers.

It is understandable that, in light of recent news about security vulnerabilities, users are concerned when reports like these come out. However, users of AMI’s BIOS should not be concerned about these reports because, as mentioned previously, AMI’s update process ensures that only motherboard manufacturers can provide BIOS updates and that unknown updates will be rejected. Most security firms hold off on publicly releasing information regarding security holes, flaws and so on for months. In our industry, 24-hour notice is unheard of.

AMI stands with our technology partners, such as AMD, to help create a secure computing world.

To learn more about Aptio V UEFI Firmware from AMI, please visit ami.com/aptio.

AMD, AMD Ryzen and AMD EPYC are trademarks of Advanced Micro Devices, Inc. in the United States and other countries. All other trademarks are property of their respective owners.

About AMI

AMI is Firmware Reimagined for modern computing. As a global leader in Dynamic Firmware for security, orchestration and manageability solutions, AMI enables the world’s compute platforms from on-premises to the cloud to the edge. AMI’s industry-leading foundational technology and unwavering customer support have generated lasting partnerships and spurred innovation for some of the most prominent brands in the high-tech industry. AMI is also a critical provider to the Open Compute ecosystem and is a member of numerous industry associations and standards groups, such as the Unified EFI Forum (UEFI), PICMG, National Institute of Standards and Technology (NIST), National Cybersecurity Excellence Partnership (NCEP), and the Trusted Computing Group (TCG).
